Stealing Your Bitcoin Transactions from Your Own Browser


Masad Stealer: Exfiltrating using Telegram

[Figure: masad_ad_blackmarket1.png]
Juniper Threat Labs discovered a new Trojan-delivered spyware that uses Telegram to exfiltrate stolen information. Using Telegram as a Command and Control (CnC) channel gives the malware a degree of anonymity, as Telegram is a legitimate messaging application with 200 million monthly active users.
The malware is being advertised on black market forums as “Masad Clipper and Stealer”. It steals browser data, which may contain usernames, passwords and credit card information. Masad Stealer also automatically replaces cryptocurrency wallet addresses on the clipboard with its own.
Masad Stealer sends all of the information it collects to, and receives commands from, a Telegram bot controlled by the threat actor deploying that instance of Masad. Because Masad is sold as off-the-shelf malware, it is deployed by multiple threat actors who may or may not be the original malware writers.

What it does

This malware is written using AutoIt scripts and then compiled into a Windows executable. Most samples we have seen are about 1.5 MiB in size; however, Masad Stealer can be found in larger executables, as it is sometimes bundled into other software.
When Masad Stealer is executed, it drops itself in %APPDATA%\{folder_name}\{file_name}, where folder_name and file_name are defined in the binary. Examples include amd64_usbhub3.inf.resources and ws2_32.exe, respectively. As a persistence mechanism, Masad Stealer creates a scheduled task that starts it every minute.
[Figure: schtask.png]
Stealing routine
After installing itself, Masad Stealer starts by collecting sensitive information from the system, such as:
Cryptocurrency Wallets
PC and system information
Credit Card Browser Data
Browser passwords
Installed software and processes
Desktop Files
Screenshot of Desktop
Browser cookies
Steam files
AutoFill browser fields
Discord and Telegram data
FileZilla files
It zips this information into a file using the 7-Zip utility, which is bundled into the malware binary.
[Figure: stolen_info.png]

The above screenshot shows what Masad Stealer tried to exfiltrate from a sandbox. The data it can exfiltrate, however, extends to the following list:
[Figure: stolen_info_complete.png]
Using a hardcoded bot token (the credential that authorizes calls to the Telegram Bot API on behalf of the Command and Control bot), Masad Stealer sends this zip file using the sendDocument API method.
[Figure: sendDocumentAPI.png]
In order to communicate with the Command and Control bot, Masad Stealer first sends a getMe request using the bot token to confirm that the bot is still active. The bot replies with a user object that contains the bot's username. This username is useful for identifying the threat actors behind a given sample. This is an important consideration because of the off-the-shelf nature of this malware: multiple parties will be operating Masad Stealer instances for different purposes.
[Figure: telegram_bot_getme.png]
The bot's token in the figure above is “719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI”.
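The beacon and exfiltration calls described above leave a recognisable shape in web proxy logs: api.telegram.org followed by bot&lt;token&gt;/&lt;method&gt;. The following is an added example (not code from the Juniper report) that extracts the bot ID in the same form the report uses and classifies getMe and sendDocument calls; the log line format and the second token are constructed, and the token shape (digits, colon, 35 URL-safe characters) is an assumption generalised from the token quoted above.

```python
import re

# Telegram Bot API calls have the shape https://api.telegram.org/bot<token>/<method>.
# Token shape is an assumption generalised from the token quoted in the report:
# <numeric bot id>:<35 URL-safe characters>.
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)

# Methods the report describes Masad using: getMe to check the bot is alive,
# sendDocument to upload the 7-Zip archive of stolen data.
METHOD_RISK = {"getMe": "beacon", "sendDocument": "exfiltration"}

# Constructed proxy log lines (not from the report): "<timestamp> <client_ip> <verb> <url>".
# Full URLs are only visible when the proxy performs TLS inspection; otherwise only
# the api.telegram.org host name (SNI / CONNECT) can be matched.
SAMPLE_LOG = [
    "2019-09-15T10:00:01Z 10.0.0.23 GET https://api.telegram.org/bot719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI/getMe",
    "2019-09-15T10:00:02Z 10.0.0.23 POST https://api.telegram.org/bot719604859:AAE3Pg_oJ8cPgTxKzDtysU-3Zpj6hsBxNqI/sendDocument",
    "2019-09-15T10:00:05Z 10.0.0.41 GET https://www.example.com/index.html",
    "2019-09-15T10:01:09Z 10.0.0.57 GET https://api.telegram.org/bot610711208:" + "A" * 35 + "/getMe",
    "2019-09-15T10:01:10Z 10.0.0.57 GET https://api.telegram.org/bot610711208:" + "A" * 35 + "/getUpdates",
]

def parse_bot_call(url):
    """Return bot id, token, method and risk for a Telegram Bot API URL, else None."""
    m = BOT_URL_RE.search(url)
    if not m:
        return None
    token, method = m.group("token"), m.group("method")
    return {
        "bot_id": "bot" + token.split(":", 1)[0],  # same form as the report's bot ID table
        "token": token,
        "method": method,
        "risk": METHOD_RISK.get(method, "other"),
    }

def hunt_proxy_log(lines):
    """Return (alerts, clients_per_bot) for log lines in the constructed format above."""
    alerts, clients_per_bot = [], {}
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        hit = parse_bot_call(url)
        if hit is None:
            continue
        clients_per_bot.setdefault(hit["bot_id"], set()).add(client)
        alerts.append((client, hit["bot_id"], hit["method"], hit["risk"]))
    return alerts, clients_per_bot
```

Grouping the hits by bot ID is what lets an analyst count distinct campaigns, as the report does in its bot ID table.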

Clipping Routine

This malware includes a function that replaces wallet addresses on the clipboard as soon as the clipboard contents match one of its configured patterns. Below are the regular expressions and supported wallets that it matches against the clipboard data:
[Figure: clipping_regex.png]
Below is the list of coins/wallets it tries to clip:
Monero
Bitcoin Cash
Litecoin
Neo
Web Money
ADA
ZCASH
DogeCoin
Stratis
QIWI Pay
Bicond
Waves
Reddcoin
Qtum
Payeer
Bytecoin
Bitcoin
Black Coin
VIA
Steam Trade Link
Bitcoin Gold
Emercoin
Lisk
Ethereum
Dash
Ripple
Yandex Money
If the clipboard data matches one of the patterns coded into Masad Stealer, the malware replaces the clipboard data with one of the threat actors’ wallets, which are also found in its binary. Below are the bitcoin and monero wallets found in one of the samples:

Bitcoin: 1AtwyYF2TGR969cyRDrR2XFDqSPzwCXKfe

Monero: 42Mm9gjuUSmPNr7aF1ZbQC6dcTeSi1MgB1Tv41frv1ZRFWLn4wNoLH3LDAGn9Fg2dhJW2VRHTz8Fo9ZAit951D2pDY8ggCR

Below is a snapshot of the bitcoin wallet's transactions as of this writing. This wallet has already received around $9,000 USD worth of bitcoin (as of Sept 15, 2019), which may or may not come from the activity of this malware.
[Figure: sample_fraudulent_bitcoin_wallet.png]
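A clipper works because the user never re-reads the address between copying and pasting. The following is an added example (not from the Juniper report) of the check a wallet or endpoint agent can perform: compare what the user's own copy action placed on the clipboard with what the clipboard holds at paste time, and alert when a same-coin address has changed. The address patterns are generic format checks (assumptions, since the report shows Masad's own regexes only as a screenshot), the clipboard history is constructed, and the attacker wallets are the two quoted above.

```python
import re
# Address formats are assumptions (the report shows Masad's own regexes only as a screenshot).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # legacy Base58 form
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),   # 95-char standard address
}

# Attacker wallets quoted in the report (hardcoded in one sample).
MASAD_WALLETS = {
    "bitcoin": "1AtwyYF2TGR969cyRDrR2XFDqSPzwCXKfe",
    "monero": "42Mm9gjuUSmPNr7aF1ZbQC6dcTeSi1MgB1Tv41frv1ZRFWLn4wNoLH3LDAGn9Fg2dhJW2VRHTz8Fo9ZAit951D2pDY8ggCR",
}

def classify(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

def detect_substitution(events):
    """("copy", text): what the user's own copy action put on the clipboard.
    ("paste", text): what the clipboard held at paste time. A same-coin address
    that differs between the two was swapped in between, i.e. clipped."""
    alerts, last_copied = [], None
    for kind, text in events:
        text = text.strip()
        if kind == "copy":
            last_copied = text
            continue
        coin = classify(text)
        if coin is None or last_copied is None or classify(last_copied) != coin:
            continue
        if text != last_copied:
            alerts.append({"coin": coin, "copied": last_copied, "pasted": text,
                           "known_masad_wallet": text == MASAD_WALLETS.get(coin)})
    return alerts

# Constructed clipboard history (not from the report). USER_BTC only matches the
# address format; it is not a real address.
USER_BTC = "1ConstructedUserAddrXXXXXXXXXXXXXX"
SAMPLE_EVENTS = [
    ("copy", USER_BTC),
    ("paste", MASAD_WALLETS["bitcoin"]),  # swapped by the clipper between copy and paste
    ("copy", "meeting notes"),
    ("paste", "meeting notes"),
    ("copy", "0x" + "ab" * 20),
    ("paste", "0x" + "ab" * 20),          # unchanged, so no alert
]
```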

Attack Vector

Based on our telemetry, Masad Stealer's main distribution vectors are masquerading as a legitimate tool or being bundled into third-party tools. Threat actors achieve end user downloads by advertising in forums, on third-party download sites or on file sharing sites. Below is the currently known list of software that Masad Stealer has been seen mimicking:
ProxySwitcher (legitimate version here: https://www.proxyswitcher.com/)
CCleaner.exe (legitimate version here: https://ccleaner.com/)
Utilman.exe (legitimate version comes with Windows)
Netsh.exe (legitimate version comes with Windows)
Iobit v 1.7.exe (legitimate version here: https://www.iobit.com/)
Base Creator v1.3.1 [FULL CRACK].exe (there is no legitimate version)
EXEA HACK CRACKED (PUBG,CS GO,FORTNITE,GTA 5,DOTA).exe (there is no legitimate version)
Icacls.exe (legitimate version comes with Windows)
WSManHTTPConfig.exe (legitimate version comes with Windows)
RADMIR CHEAT MONEYY.exe (there is no legitimate version)
Tradebot_binance.exe (legitimate version here: https://tradesanta.com/en)
Whoami.exe (legitimate version comes with Windows)
Proxo Bootstrapper.exe (this is actually a reasonably popular form of malware)
Fortniteaimbot 2019.exe (there is no legitimate version)
Galaxy Software Update.exe (https://www.samsung.com/us/support/answer/ANS00077582/)


Downloading additional malware
Some samples of Masad Stealer have the capability to download additional malware. We have seen samples download other malware, usually a miner, from these URLs:
https://masadsasad[.]moy.su/base.txt (miner)
https://zuuse[.]000webhostapp.com/mi.exe (miner)
http://37[.]230.210.84/still/Build.exe
http://37[.]230.210.84/still/SoranoMiner.exe
http://187[.]ip-54-36-162.eu/steal.exe
http://bgtyu73[.]ru/22/Build.exe
The figure below is the response to a request to https://masadsasad[.]moy.su/base.txt. The response contains an executable file with a modified header. Beyond the use of TLS for the connection, the modified header is an additional trick the malware uses to hide the payload.
[Figure: download_miner.png]


TLS streams are more difficult to inspect, which helps hide the download from network-based security defenses. The modified header helps hide from endpoint security products the fact that the payload being downloaded is an executable.

Threat Actors
This malware is advertised in several hacking forums as Masad Stealer. It starts with a free version and tiers up to versions priced at up to $85, with each tier of the malware offering different features.
There is at least one dedicated website (masadproject[.]life) in existence to promote the sale of Masad Stealer. The developers have also created a Telegram group for their potential clients, presumably to offer tech support. At the time of writing, this group has more than 300 members.
[Figure: masad_telegram_support.png]
Of the more than 1,000 samples we identified as variants of this malware, there were 338 unique Telegram Command and Control bot IDs. From this data we can estimate the number of threat actors (or at least the number of different campaigns being run using the Masad Stealer malware) and the size of their operations. We used the getMe API, along with the bot token, to identify the usernames. The top bot IDs are as follows:

Telegram Bot ID   Telegram Bot Username        Unique Hashes
bot610711208      potterk_bot                  45
bot830353220      reaper228bot                 24
bot661438794      RanisYolo19_bot              23
bot796671289      dfsklnjfmkdvehfsf454sdfbot   22
bot870978042      dawdvwabot                   20
bot753197414      korote_bot                   14
bot823037532      NA/Inactive                  13
bot699800942      RcbBots_Bot                  13
bot831297312      xAmytBot                     13
bot883608782      bichpaket777_bot             12
bot656889928      notius_bot                   12
bot813438470      idontknowubot                12
bot911603667      Masat_bot                    11
bot963764792      NA/Inactive                  11
bot930786995      reborntodes_bot               9
bot884837464      istrong_bot                   9
bot646596033      SkyDen_bot                    9
bot865594389      gnoy199519bot                 8

Previous versions of this malware (or possibly a direct ancestor) are called “Qulab Stealer”.

How does Juniper Networks protect you against this?

Juniper Advanced Threat Protection products JATP and Sky ATP use machine learning to accurately identify malware. The following images show Sky ATP detecting multiple variants of this malware.
[Figure: skyatp_detecttions.png]
The use of machine learning is critical to defending against this malware because of the number of rapid iterations it underwent throughout its development. Machine learning allows Juniper Connected Security to identify Masad Stealer variants as they emerge, helping to keep customers protected even before new strains have been identified.

Conclusion
Juniper Threat Labs believes that Masad Stealer represents an active and ongoing threat. Command and Control bots are still alive and responding as of this writing, and the malware appears to still be available for purchase on the black market.
In order to protect your organization, make sure that you have a next generation firewall (NGFW) with Advanced Threat Protection. NGFWs have the ability to identify the Telegram protocol and block it if there is no legitimate business use, while Advanced Threat Protection products offer other methods to detect and counteract this malware.
Juniper Sky ATP, in conjunction with our SRX firewall, will block any client infected with Masad Stealer from reaching out to the Command and Control bot master. It will also block the download of the Masad Stealer malware files in the first place, offering both remediation and prevention capabilities.


All Credit to  ,
from Juniper.net